
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1

Rohit Bothra ([email protected])

Dilip Sai Chandar([email protected])

Network Consulting Engineer, Cisco

IPv6 Security Threats and Mitigations

APRICOT Feb-March 2012

Agenda

IPv6 Primer

Security Issues Shared by IPv4 and IPv6

Security Issues Specific to IPv6

Enforcing Security policies

Cisco IPv6 Products

Demo: IPv6 DoS attack

References

IPv4 and IPv6 Header Comparison

Figure: side-by-side header layouts.
IPv4 header fields: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding.
IPv6 header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address.
Legend: field's name kept from IPv4 to IPv6; fields not kept in IPv6; name and position changed in IPv6; new field in IPv6.

IPv6 Address Types

Three types of unicast address scopes, plus multicast (x = interface ID, s = subnet ID, g/G = global routing prefix, f = flags, s in FFfs = scope):
Unique-Local:  FC00:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
Link-Local:    FE80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx
Global:        2000:GGGG:GGGG:ssss:xxxx:xxxx:xxxx:xxxx
Multicast:     FFfs:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

An interface is "expected" to have multiple addresses.

Link-Local – not routable, exists on a single layer 2 domain (FE80::/64)
Unique-Local (ULA) – routable within an administrative domain (FC00::/7)
Global – routable across the Internet (2000::/3)
Multicast addresses begin with FF00::/8

IPv6 Addresses – Unicast and Multicast Examples

Router#sh ipv6 int Ethernet0
Ethernet0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::2D0:D3FF:FE81:9000
  Global unicast address(es):
    2001:DB8:12::1, subnet is 2001:DB8:12::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::5
    FF02::D
    FF02::16
    FF02::1:FF00:1
    FF02::1:FF81:9000

Joined groups as annotated on the slide:
FF02::1 – All nodes
FF02::2 – All routers
FF02::5 – OSPF routers
FF02::D – All PIM routers
FF02::16 – All MLDv2-capable routers
FF02::1:FF00:1 – solicited-node group of the global address
FF02::1:FF81:9000 – solicited-node group of the link-local address
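The address relationships on this slide can be checked mechanically. The following is an added example (not code from the deck or from Cisco) that classifies addresses into the scopes of the previous slide, derives the two solicited-node groups the router joined from its unicast addresses, and recovers the MAC address embedded in the EUI-64 link-local address; the addresses come from the slide, everything else (function names, the scope table) is this example's own.

```python
import ipaddress

# Prefixes as given on the slides: link-local FE80::/10 (the deck writes the
# configured form FE80::/64), ULA FC00::/7, global 2000::/3, multicast FF00::/8.
SCOPES = [
    ("link-local unicast", ipaddress.IPv6Network("fe80::/10")),
    ("unique-local unicast", ipaddress.IPv6Network("fc00::/7")),
    ("global unicast", ipaddress.IPv6Network("2000::/3")),
]
MULTICAST = ipaddress.IPv6Network("ff00::/8")
# Multicast scope nibble (RFC 4291): the "s" in the slide's FFfs:: pattern
MCAST_SCOPE = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
               0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def classify(addr: str) -> str:
    """Name the scope of an IPv6 address the way the slide's legend does."""
    a = ipaddress.IPv6Address(addr)
    if a in MULTICAST:
        scope = a.packed[1] & 0x0F          # low nibble of the second byte
        return "multicast/" + MCAST_SCOPE.get(scope, f"scope-{scope:x}")
    for name, net in SCOPES:
        if a in net:
            return name
    return "other"


def solicited_node(addr: str) -> str:
    """Solicited-node multicast group: FF02::1:FFxx:xxxx with the low 24 bits
    copied from the unicast address (RFC 4291). Every unicast address an
    interface configures makes it join this group."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


def eui64_to_mac(addr: str):
    """Recover the MAC from a modified EUI-64 interface ID (FF:FE inserted in
    the middle, universal/local bit flipped); None if the IID was not built
    that way (privacy extension or manual address)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def host_groups(unicast_addrs):
    """Multicast groups every IPv6 node must join for the given unicast
    addresses: all-nodes plus one solicited-node group per address."""
    return sorted({"ff02::1"} | {solicited_node(a) for a in unicast_addrs})


if __name__ == "__main__":
    # Addresses taken from the "show ipv6 interface" output on the slide
    for a in ("FE80::2D0:D3FF:FE81:9000", "2001:DB8:12::1", "FF02::1", "FF05::1:3"):
        print(f"{a:28} {classify(a)}")
    print(host_groups(["FE80::2D0:D3FF:FE81:9000", "2001:DB8:12::1"]))
    print(eui64_to_mac("FE80::2D0:D3FF:FE81:9000"))
```

Run as-is it reproduces the two FF02::1:FFxx:xxxx groups from the router output, and shows that the link-local address reveals the interface's MAC (00:d0:d3:81:90:00), which is the tracking concern the Privacy Extensions slide later addresses.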

ICMPv4 vs. ICMPv6

ICMP Message Type                   ICMPv4   ICMPv6
Connectivity Checks                   X        X
Informational/Error Messaging         X        X
Fragmentation Needed Notification     X        X
Address Assignment                             X
Address Resolution                             X
Router Discovery                               X
Multicast Group Management                     X

ICMPv6 transports the ND messages (NS, NA, RS, RA) and the MLD messages (Queries, Reports, …), and still covers the ICMP (v4) features: error control, administration, …

Layer 2 remains unchanged
Layer 4 (TCP, UDP, ...) and above unchanged
Same routing protocols: BGP, OSPF, RIP

Only four major changes:
• Larger addresses (128 bits compared to 32 bits)
• Multiple addresses per host
• Fixed-length header
• ARP is replaced with the ND protocol
• But these bring a lot of security implications

Reconnaissance in IPv6

Default subnets in IPv6 have 2^64 addresses
At 10 Mpps, sweeping one subnet takes more than 50 000 years
Public servers will still need to be DNS reachable
Administrators may adopt easy-to-remember addresses (::10, ::20, ::F00D, ::C5C0, :d09:f00d or simply the IPv4 last octet for dual stack)
By compromising hosts in a network, an attacker can learn new addresses to scan
Transition techniques derive the IPv6 address from the IPv4 address

Reconnaissance in IPv6? Easy with Multicast!

No need for reconnaissance anymore
3 site-local multicast addresses: FF05::2 all-routers, FF05::FB mDNSv6, FF05::1:3 all DHCP servers
Several link-local multicast addresses: FF02::1 all nodes, FF02::2 all routers

Figure: DHCP attack – a packet (Source = Attacker, Destination = FF05::1:3, Payload) reaches the DHCP servers 2001:db8:1::60, 2001:db8:2::50 and 2001:db8:3::70.

http://www.iana.org/assignments/ipv6-multicast-addresses/

Preventing Reconnaissance with IPv6 Multicast

The site-local/anycast addresses must be filtered at the border in order to make them unreachable from the outside

ACL blocking ingress/egress traffic at the border between Organization A and Organization B:
Block FEC0::/10 (deprecated site-local addresses)
Permit mcast to FF02::/16 (link-local scope)
Permit mcast to FF0E::/16 (global scope)
Block all other mcast

ipv6 access-list NO_RECONNAISSANCE
 deny any fec0::/10
 permit any ff02::/16
 permit any ff0e::/16
 deny any ff00::/8
 permit any any
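The ordering of the NO_RECONNAISSANCE entries is what makes it work: the two scope-specific permits must precede the catch-all multicast deny. The following is an added example (not the deck's or Cisco's code) that models IOS first-match ACL evaluation with an implicit deny at the end, runs the slide's list against site-local, link-local and global destinations, and shows what happens when the catch-all deny is moved first; the outside host address and the function names are this example's own assumptions.

```python
import ipaddress

# The NO_RECONNAISSANCE list from the slide as (action, source, destination)
# entries; "any" matches every address, everything else is a prefix.
NO_RECONNAISSANCE = [
    ("deny",   "any", "fec0::/10"),   # deprecated site-local unicast
    ("permit", "any", "ff02::/16"),   # link-local scope multicast (ND, MLD)
    ("permit", "any", "ff0e::/16"),   # global scope multicast
    ("deny",   "any", "ff00::/8"),    # every other multicast scope (site, org, ...)
    ("permit", "any", "any"),
]


def _match(spec, addr):
    return spec == "any" or addr in ipaddress.IPv6Network(spec)


def evaluate(acl, src, dst):
    """First-match evaluation of an ordered ACL; returns (action, entry_index).
    An IOS ACL ends with an implicit deny, modelled here as index -1."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for i, (action, src_spec, dst_spec) in enumerate(acl):
        if _match(src_spec, s) and _match(dst_spec, d):
            return action, i
    return "deny", -1


def action(acl, src, dst):
    return evaluate(acl, src, dst)[0]


if __name__ == "__main__":
    outside = "2001:db8:ffff::1"  # constructed: a host on the far side of the border
    for dst in ("ff05::1:3", "ff05::2", "fec0::1", "ff02::1:ff00:1", "ff0e::101", "2001:db8::50"):
        print(f"{outside} -> {dst:16} {evaluate(NO_RECONNAISSANCE, outside, dst)}")
    # Ordering matters: with the catch-all multicast deny moved to the top,
    # link-local scope traffic that the list intends to permit is denied too.
    misordered = [NO_RECONNAISSANCE[3]] + NO_RECONNAISSANCE[:3] + [NO_RECONNAISSANCE[4]]
    print("misordered ff02::1 ->", action(misordered, outside, "ff02::1"))
```

The output shows the all-DHCP-servers group FF05::1:3 (and FF05::2) hitting entry 3, the site-local unicast prefix hitting entry 0, and solicited-node groups in FF02::/16 still permitted, which is why ND keeps working behind this list.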

Neighbor Discovery Issue #1: Stateless Autoconfiguration

1. RS:
   Src = ::
   Dst = All-Routers multicast address
   ICMP Type = 133
   Data = Query: please send RA

2. RA:
   Src = Router link-local address
   Dst = All-nodes multicast address
   ICMP Type = 134
   Data = options, prefix, lifetime, etc.

RA/RS without any authentication gives exactly the same level of security as ARP for IPv4 (none)
Router Solicitations are sent by booting nodes to request Router Advertisements for stateless address auto-configuration
Attack tool: fake_router6 can make any IPv6 address the default router

Neighbor Discovery Issue #2: Neighbor Solicitation

NS, A → B:
   Src = A
   Dst = Solicited-node multicast of B
   ICMP type = 135
   Data = link-layer address of A
   Query: what is your link address?

NA, B → A:
   Src = B
   Dst = A
   ICMP type = 136
   Data = link-layer address of B

A and B can now exchange packets on this link
Security mechanisms built into the Discovery Protocol = none => very similar to ARP
Attack tool: Parasite6 answers all NS, claiming to be all systems in the LAN...

Neighbor Discovery Issue #3: Duplicate Address Detection

Duplicate Address Detection (DAD) uses Neighbor Solicitation to verify the existence of an address to be configured

NS from A:
   Src = ::
   Dst = Solicited-node multicast of A
   ICMP type = 135
   Data = link-layer address of A
   Query = what is your link address?

From RFC 2462: "If a duplicate address is discovered… the address cannot be assigned to the interface"
What if: use the MAC address of the node you want to DoS and claim its IPv6 address
Attack tool: Dos-new-ipv6

Secure Neighbor Discovery (SEND) RFC 3971

Certification paths – anchored on trusted parties, expected to certify the authority of the routers on some prefixes
Cryptographically Generated Addresses (CGA) – IPv6 addresses whose interface identifiers are cryptographically generated
RSA signature option – protects all messages relating to neighbor and router discovery
Timestamp and nonce options – prevent replay attacks

ND threat Mitigation using SEND

Protecting Against Rogue RA

Port ACL (see later) blocks all ICMPv6 Router Advertisements from hosts:

interface FastEthernet3/13
 switchport mode access
 ipv6 traffic-filter ACCESS_PORT in
 access-group mode prefer port

RA-guard feature in host mode (12.2(33)SXI4 & 12.2(54)SG): also drops all RAs received on this port:

interface FastEthernet3/13
 switchport mode access
 ipv6 nd raguard
 access-group mode prefer port

Figure: RAs arriving on the host-facing ports are dropped.
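To make the "drop all RAs on a host port" decision concrete, the following added example (not the deck's or Cisco's code, and a simplification of what the RA guard feature does on the switch) parses a raw IPv6 frame, recognizes an ICMPv6 type 134 message, and returns a verdict: on a host-role port every RA is dropped; on a router-role port an RA must carry hop limit 255 (RFC 4861), a link-local source, a valid ICMPv6 checksum and a known router address. The packet builder, the KNOWN_ROUTERS set and the port roles are this example's own assumptions.

```python
import ipaddress
import struct

ICMPV6, ROUTER_ADVERTISEMENT = 58, 134
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
# Constructed: the only router that is supposed to advertise on this segment
KNOWN_ROUTERS = {ipaddress.IPv6Address("fe80::1")}


def icmpv6_checksum(src, dst, payload):
    """RFC 2460 upper-layer checksum over the IPv6 pseudo-header and the ICMPv6
    message; computed over a message that already carries its checksum it yields 0."""
    data = (src.packed + dst.packed + struct.pack("!I", len(payload))
            + b"\x00\x00\x00" + bytes([ICMPV6]) + payload)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ra(src, dst="ff02::1", hop_limit=255, lifetime=1800):
    """Constructed test packet: IPv6 header + a minimal RA (no options)."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    ra = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, lifetime, 0, 0)
    ra = ra[:2] + struct.pack("!H", icmpv6_checksum(s, d, ra)) + ra[4:]
    hdr = struct.pack("!IHBB", 0x60000000, len(ra), ICMPV6, hop_limit)
    return hdr + s.packed + d.packed + ra


def inspect_ra(pkt, port_role="host", known=KNOWN_ROUTERS):
    """Verdict for a frame seen on an access port.
    port_role "host":   RA guard host mode, every RA is dropped.
    port_role "router": an RA passes only if it is well-formed ND from a known router."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "ignore:not-ipv6"
    plen, nh, hlim = struct.unpack("!HBB", pkt[4:8])
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    icmp = pkt[40:40 + plen]
    if nh != ICMPV6 or len(icmp) < 16 or icmp[0] != ROUTER_ADVERTISEMENT:
        return "ignore:not-ra"
    if port_role == "host":
        return "drop:ra-on-host-port"
    if hlim != 255:                      # RFC 4861: ND messages carry hop limit 255
        return "drop:hop-limit"
    if src not in LINK_LOCAL:            # routers advertise from their link-local address
        return "drop:src-not-link-local"
    if icmpv6_checksum(src, dst, icmp) != 0:
        return "drop:bad-checksum"
    if src not in known:
        return "drop:unknown-router"
    return "pass"


if __name__ == "__main__":
    legit, rogue = build_ra("fe80::1"), build_ra("fe80::dead")
    print("legit router RA on host port  :", inspect_ra(legit))
    print("legit router RA on router port:", inspect_ra(legit, "router"))
    print("unknown source on router port :", inspect_ra(rogue, "router"))
    print("forwarded RA (hop limit 64)   :", inspect_ra(build_ra("fe80::1", hop_limit=64), "router"))
```

The hop-limit check is the cheap win: an RA that crossed a router cannot have hop limit 255 any more, so it is rejected before any parsing of options.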

L3 Spoofing in IPv6

uRPF remains the primary tool for protecting against L3 spoofing

Figure: a host in the access layer sends a packet with a spoofed IPv6 source address towards the IPv6 intranet/Internet; the first router checks the source.

uRPF Loose Mode – no route to the source address prefix => drop
  ipv6 verify unicast source reachable-via any

uRPF Strict Mode – no route to the source address prefix out the packet's inbound interface => drop
  ipv6 verify unicast source reachable-via rx
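The difference between the two modes is easiest to see on a small forwarding table. The following is an added example (not the deck's or Cisco's code) with a constructed three-entry FIB and a longest-prefix lookup; "loose" corresponds to reachable-via any and "strict" to reachable-via rx, and the interface names and prefixes are this example's own assumptions.

```python
import ipaddress

# Constructed FIB: prefix -> interface the router would use to reach it
FIB = {
    "2001:db8:1::/48": "Gi0/1",   # access-layer segment behind Gi0/1
    "2001:db8:2::/48": "Gi0/2",   # another access-layer segment
    "2000::/3":        "Gi0/0",   # route towards the IPv6 Internet
}


def lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    a = ipaddress.IPv6Address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.IPv6Network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf(fib, src, ingress, mode):
    """uRPF check on a packet's source address.
    mode "loose"  = reachable-via any: any route to the source suffices.
    mode "strict" = reachable-via rx: the route must point back out the
    interface the packet arrived on."""
    route = lookup(fib, src)
    if route is None:
        return "drop:no-route-to-source"
    if mode == "strict" and route[1] != ingress:
        return f"drop:source-reachable-via-{route[1]}-not-{ingress}"
    return "forward"


if __name__ == "__main__":
    cases = [
        ("2001:db8:1::10", "Gi0/1"),  # legitimate host on its own segment
        ("2001:db8:1::10", "Gi0/0"),  # the same address spoofed from the Internet side
        ("fec0::10",       "Gi0/1"),  # bogon source with no route at all
    ]
    for src, ingress in cases:
        for mode in ("loose", "strict"):
            print(f"{src:16} in {ingress} {mode:6}: {urpf(FIB, src, ingress, mode)}")
```

The second case is the one that separates the modes: loose mode forwards an internal address spoofed from the Internet-facing interface because a route to it exists somewhere, strict mode drops it because that route does not point back out Gi0/0. Strict mode therefore belongs on access and customer-facing interfaces, loose mode where asymmetric routing makes strict checks break legitimate traffic.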

DHCPv6 Threats

Note: use of DHCP is announced in Router Advertisements

Rogue devices on the network giving misleading information or consuming resources (DoS)

Rogue DHCPv6 client and servers on the link-local multicast address (FF02::1:2): same threat as IPv4

Rogue DHCPv6 servers on the site-local multicast address (FF05::1:3): new threat in IPv6

Scanning possible if leased addresses are consecutive

DHCPv6 Threat Mitigation

Rogue clients and servers can be mitigated by using the authentication option in DHCPv6
There are not many DHCPv6 client or server implementations using this today
Port ACL can block DHCPv6 server-to-client traffic (UDP 547 → 546) from client ports:
 deny udp any eq 547 any eq 546

Sniffing

IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4

Application layer attacks

The majority of vulnerabilities on the Internet today are at the application layer, something that IPSec will do nothing to prevent.

Rogue devices

Rogue devices will be as easy to insert into an IPv6 network as in IPv4

Man-in-the-Middle Attacks (MITM)

Without strong mutual authentication, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4

Flooding

Flooding attacks are identical between IPv4 and IPv6

IPsec is not deployed as the IPv6 security panacea

"IPv6 has improved security as a result of its mandatory IPsec support" – myth

IPsec already existed for IPv4
The mandatory-ness of IPsec for IPv6 is just words on paper.
There are problems with its deployment as a general end-to-end security mechanism.
Deployment of IPsec(v6) has similar problems to those of IPsec(v4). As a result, IPsec(v6) is not deployed as a general end-to-end security mechanism.

No IPv6 network = no problem? Wrong!

IPv6 enabled by default on all modern OSes
Applications prefer IPv6 addresses
"Blackhat" may not be malicious (Windows with ICS)
Time to think about deploying IPv6

Figure: a client on an IPv4-only segment, a dual-stack server and the IPv4 Internet; someone injects an RA on the segment and the client concludes "I have IPv6! Let's use it!"

Dual Stack with IPv6 Enabled by Default

Your host:
  IPv4 is protected by your favorite personal firewall...
  IPv6 is enabled by default (Win7, Linux, Mac OS/X, ...)
Your network:
  Does not run IPv6
Your assumption:
  I'm safe
Reality:
  You are not safe
  Attacker sends Router Advertisements
  Your host silently configures IPv6
  You are now under IPv6 attack
=> Probably time to think about IPv6 in your network

IPv6 Privacy Extensions (RFC 3041)

Temporary addresses for IPv6 host client applications, e.g. web browser
Inhibit device/user tracking
Random 64-bit interface ID, then run Duplicate Address Detection before using it. Rate of change based on local policy
Supported in Windows and MacOS (choice isn't available to end user)

Figure: address layout starting with 2001, prefix boundaries at /23, /32, /48 and /64, followed by the Interface ID

Recommendation: use Privacy Extensions for external communication but not for internal networks (troubleshooting and attack trace back)

IPv6 Header Manipulation

Unlimited size of header chain (spec-wise) can make filtering difficult
Potential DoS with poor IPv6 stack implementations
More boundary conditions to exploit
Can I overrun buffers with a lot of extension headers?

Figure: a capture the sniffer shows as a perfectly valid IPv6 packet, annotated with a Destination Options header that should be the last, a header that should only appear once, and a Destination header that should occur at most twice.

See also: http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html

Parsing the Extension Header Chain: Fragmentation Matters!

The extension header chain can be so large that it is fragmented!
Finding the layer 4 information is not trivial in IPv6:
Skip all known extension headers
  until either a known layer 4 header is found => SUCCESS
  or an unknown extension header/layer 4 header is found... => FAILURE
  or the end of the extension headers is reached => FAILURE

Figure:
  IPv6 hdr | HopByHop | Routing | Destination | Destination | Fragment1
  IPv6 hdr | HopByHop | Fragment2 | TCP | Data
  The layer 4 header is in the 2nd fragment

Filtering Extension Headers

Determine what extension headers will be allowed through the access control device
IPv6 headers and optional extensions need to be scanned to access the upper layer protocols (ULP)
May require searching through several extension headers
Known extension headers (HbH, AH, RH, MH, destination) are scanned until:
  a layer 4 header is found, or
  an unknown extension header is found
Important: a router must be able to filter on both the option header and L4 at the same time
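The chain walk described on the last three slides (skip known extension headers until a layer 4 header, fail on unknown headers or when the chain runs past the end of the fragment, and reject chains that violate the RFC 2460 ordering and count rules the sniffer capture showed) is written out below as an added example; it is not code from the deck or from Cisco. It builds its own constructed packets, including the two-fragment case from the figure, and the header sizes follow the standard encodings (8-octet units for most extension headers, 4-octet units for AH, a fixed 8 bytes for Fragment). Function names and the allow-lists in filter_decision are this example's assumptions.

```python
import struct
from collections import Counter

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DEST_OPTS, MOBILITY = 0, 43, 44, 50, 51, 59, 60, 135
KNOWN_EXT = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, MOBILITY}
L4 = {6: "TCP", 17: "UDP", 58: "ICMPv6", 132: "SCTP"}


def walk_chain(pkt):
    """Skip known extension headers until a layer 4 header is found.
    Returns (status, next_header, offset, chain); "ok" means the layer 4 header
    starts at offset, every other status is a failure case for a stateless filter."""
    nh, off, chain, seen, fragmented = pkt[6], 40, [], Counter(), False
    while True:
        if nh in L4:
            if off + 4 > len(pkt):      # type is known but its bytes sit in another fragment
                return ("fragmented" if fragmented else "truncated", nh, off, chain)
            return ("ok", nh, off, chain)
        if nh == NO_NEXT:
            return ("no-next-header", nh, off, chain)
        if nh == ESP:
            return ("opaque:esp", nh, off, chain)   # everything after ESP is encrypted
        if nh not in KNOWN_EXT:
            return ("unknown", nh, off, chain)
        if off + 8 > len(pkt):
            return ("fragmented" if fragmented else "truncated", nh, off, chain)
        chain.append(nh)
        seen[nh] += 1
        # RFC 2460 ordering/count rules (the ones the "valid according to the sniffer" capture broke)
        if nh == HOP_BY_HOP and off != 40:
            return ("policy:hop-by-hop-not-first", nh, off, chain)
        if nh == DEST_OPTS and seen[nh] > 2:
            return ("policy:dest-opts-more-than-twice", nh, off, chain)
        if nh != DEST_OPTS and seen[nh] > 1:
            return ("policy:duplicate-header", nh, off, chain)
        if nh == FRAGMENT:
            fragmented = True
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3 != 0:
                return ("fragmented", nh, off, chain)   # non-first fragment carries payload only
            hlen = 8
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4
        else:
            hlen = (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + hlen


def filter_decision(pkt, allowed_ext=frozenset({HOP_BY_HOP, DEST_OPTS, FRAGMENT}), allowed_l4=frozenset({6, 17, 58})):
    """Permit only chains made of allowed extension headers that end in an allowed
    layer 4 header; anything the walker cannot resolve is dropped."""
    status, nh, _, chain = walk_chain(pkt)
    if status != "ok":
        return f"drop ({status})"
    if nh not in allowed_l4:
        return f"drop (layer 4 protocol {nh} not allowed)"
    bad = [h for h in chain if h not in allowed_ext]
    if bad:
        return f"drop (extension header {bad[0]} not allowed)"
    return "permit"


# --- constructed sample packets ---------------------------------------------
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def ipv6(nh, payload):
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + SRC + DST + payload


def ext(nh):        # 8-byte extension header (Hdr Ext Len = 0) whose Next Header is nh
    return bytes([nh, 0]) + b"\x00" * 6


def frag(nh, offset, more):   # Fragment header; offset in 8-octet units, M flag
    return bytes([nh, 0]) + struct.pack("!HI", (offset << 3) | more, 0x1234)


TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

SAMPLES = {
    "clean":       ipv6(HOP_BY_HOP, ext(DEST_OPTS) + ext(6) + TCP_SYN),
    "dup-routing": ipv6(ROUTING, ext(ROUTING) + ext(6) + TCP_SYN),
    "hbh-late":    ipv6(ROUTING, ext(HOP_BY_HOP) + ext(6) + TCP_SYN),
    "three-dst":   ipv6(DEST_OPTS, ext(DEST_OPTS) + ext(DEST_OPTS) + ext(6) + TCP_SYN),
    # the figure's case: layer 4 header only in the second fragment
    "fragment-1":  ipv6(HOP_BY_HOP, ext(FRAGMENT) + frag(DEST_OPTS, 0, 1) + ext(DEST_OPTS) + ext(6)),
    "fragment-2":  ipv6(HOP_BY_HOP, ext(FRAGMENT) + frag(6, 2, 0) + TCP_SYN + b"data"),
    "esp":         ipv6(HOP_BY_HOP, ext(ESP) + b"\x00" * 16),
    "unknown":     ipv6(HOP_BY_HOP, ext(253) + b"\x00" * 8),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12} {walk_chain(pkt)[0]:32} {filter_decision(pkt)}")
```

Dropping everything the walker cannot resolve is the conservative policy; a device that must pass fragmented traffic needs virtual reassembly or a stateful path, which is exactly the "fragmentation matters" point of the slide.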

Designing Security Policy

Cisco IOS IPv6 ACL: A Trivial Example

Figure: prefix 2001:db8:2c80:1000::/64 behind interface Serial 0, which faces the IPv6 Internet; inside are the host 2001:db8:2c80:1000::1 and others.

ipv6 access-list MY_ACL
 remark basic anti-spoofing
 deny 2001:db8:2c80:1000::/64 any
 permit any 2001:db8:2c80:1000::1/128
interface Serial 0
 ipv6 traffic-filter MY_ACL in

Filtering inbound traffic to one specific destination address

CoPP: Control Plane Policing

A router can be logically divided into three functional components or planes:
1. Data plane—packets going through the router
2. Control plane—routing protocols gluing the network together
3. Management plane—tools and protocols used to manage the device
The Route Processor contains the control and management planes

Problem Definition

Network uptime is increasingly becoming more vital to companies.

Denial of Service (DoS) attacks are just one example of a network assault on the control plane.

DoS attacks target the network infrastructure by generating IP traffic streams to the control plane at very high rates.

A DoS attack targeting a Route Processor (RP) can cause high Route Processor CPU utilization.

Solution – Control Plane Policing

Protects the Control Plane from DoS attacks
Uses QoS to identify and rate-limit traffic
Allows specification of types of packets (traffic classes) & the desired rate to be sent to the CPU
CPU cycles are used only for packets matching the criteria, so availability of the network is greatly increased
Control plane treated as a separate entity
CoPP protects control/management planes:
1. Ensures routing stability
2. Reachability
3. Packet delivery
4. CP policies are separate from DP and don't impact the data plane

Which packets are we talking about?

CPU-bound packets that will be policed:
- L2 Fwd Packets (ARP, IPX, Broadcast, etc)
- L2 Control: Keepalives and control packets for HDLC, PPP, FR LMI, ATM control ILMI, X.25 and ISDN call setup, STP BPDUs
- L3 Control: Routing protocol control packets
- L3 Fwd Packets (telnet, SNMP, HTTP, ICMP, etc)
- Control Packets (BPDU, CDP, IGMP, DHCP, etc)
- L3 and L2 Miscellaneous:

Configuring CoPP

4 step process:

1. Enable global QoS

2. Classify the traffic

3. Define the QoS policy

4. Apply the policy to the control plane "interface"

Sample Traffic Classification

1. Critical Traffic—routing protocols, control plane no rate-limit

2. Important Traffic—SNMP, SSH, AAA, NTP, management plane, maybe rate-limit

3. Normal Traffic—other expected non-malicious traffic, ping and other ICMP, rate-limit

4. Undesirable—handling of potentially malicious traffic we expect to see, fragments and the like, drop this traffic

5. Default—non-IP traffic or any other non identified IP traffic, maybe rate-limit
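What "rate-limit" means for each of these classes can be shown with a simulation. The following is an added example (not the deck's or Cisco's code, and not IOS configuration): it assigns punted packets to the five classes above, polices each class with a single-rate token bucket, and feeds it a constructed stream in which an MLD report flood, the kind of traffic the deck's closing demo uses, competes with routing and management packets. The matching protocol names, the per-class rates and the timestamps are this example's own assumptions.

```python
# Traffic classes from the slide, with constructed matching criteria and
# per-class rates in packets per second (None = not rate-limited, 0 = drop).
CLASSES = [
    ("critical",    {"ospf", "bgp", "isis"},        None),
    ("important",   {"snmp", "ssh", "aaa", "ntp"},  500),
    ("normal",      {"icmp-echo", "mld"},           100),
    ("undesirable", {"fragment"},                     0),
    ("default",     set(),                           50),
]


class TokenBucket:
    """Single-rate policer: the bucket refills at `rate` tokens per second up to
    `burst`; a packet conforms if a token is available when it arrives."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def conform(self, now):
        self.tokens = min(self.burst, self.tokens + self.rate * (now - self.last))
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def classify(proto):
    """First class whose match set names the protocol; otherwise the default class."""
    for name, protos, _ in CLASSES:
        if proto in protos:
            return name
    return "default"


def police(packets):
    """packets: iterable of (timestamp_seconds, proto) punted to the route
    processor. Returns per-class conform/exceed counters (exceed = dropped)."""
    buckets = {name: None if rate is None else TokenBucket(rate, rate) for name, _, rate in CLASSES}
    stats = {name: {"conform": 0, "exceed": 0} for name, _, _ in CLASSES}
    for t, proto in sorted(packets):
        cls = classify(proto)
        ok = True if buckets[cls] is None else buckets[cls].conform(t)
        stats[cls]["conform" if ok else "exceed"] += 1
    return stats


def demo_stream():
    """Constructed: routine control traffic plus an MLD report flood."""
    pkts = [(i * 0.05, "ospf") for i in range(20)]            # hellos, never policed
    pkts += [(0.5, "ssh")] * 10 + [(0.2, "fragment")] * 5 + [(0.3, "ipx")] * 3
    pkts += [(0.0, "mld")] * 2000                              # flood arriving at t = 0
    pkts += [(1.0, "mld")] * 50                                # after the bucket refilled
    return pkts


if __name__ == "__main__":
    for cls, counters in police(demo_stream()).items():
        print(f"{cls:12} {counters}")
```

The point of the output is that the OSPF hellos all reach the CPU regardless of the flood, while the normal class admits only its configured burst per second and drops the remaining 1900 MLD reports; fragments are dropped outright, as the undesirable class on the slide prescribes.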

Cisco Product Portfolio

Cisco IOS 12.4/12.4T: Cisco 800, 1700, 1800, 2600, 2800, 3600, 3700, 3800, 7200 and 7301 Series Routers, Cisco 7500 Series Routers (EoL)
Cisco IOS 12.2S family: Cisco ASR1000 series, Cisco 72/7300 Series Routers, Cisco 75/7600 Series Routers, Cisco 10000 Series Routers, Catalyst 3750/3560/2960 Series, Catalyst 4500 Series, Catalyst 6500 Series
ASA Firewall (7.x), FWSM 3.1, LMS 2.5, CNR 6.2, NFC 5.x, NAM 3.x, MDS9500 series, GGSN 7.0
Nexus 7000
Cisco IOS 12.0S: Cisco 12000 Series Routers, Cisco 10720 Series
Cisco IOS-XR: CRS-1, Cisco 12000

Key Take Away

So, nothing much new in IPv6:
Reconnaissance: address enumeration replaced by DNS enumeration
Spoofing & bogons: uRPF is our IP-agnostic friend
NDP spoofing: RA guard, with more features coming
ICMPv6: firewalls need to change policy to allow NDP
Extension headers: firewalls & ACLs can process them
Amplification attacks by multicast mostly impossible
Lack of operational experience may hinder security for a while: training is required

Security enforcement is possible: control your IPv6 traffic as you do for IPv4
Leverage IPsec to secure IPv6 wherever suitable

Summary: Key take away

Source: Cisco Press

Reference & Recommended Reading

www.cisco.com/go/ipv6

Demo: DoS Attack

Attack Type: MLDv2

Solution Applied: CoPP

Thank you.

